FTL - FTPD Tracefile Logger - Aug 12 1994
Version 0.8 by Justin Dolske - jdolske@mail.bgsu.edu

This program is SuggestionWare. :-) If you use it, please send me a
suggestion on how to make it better, or just tell me you like it.

Feel free to change the program around. If you do, I ask only that you
change the "ver" variable to reflect this, and that you don't distribute
the changed version without my approval. (If something breaks, I want to
know it's my fault.)

1. What does FTL do?

FTL is a program to help anyone running an FTP site (via FTPD). FTPD has
only one way to generate a log of user activity: the "-t" option. The
tracefile it generates is not very useful. Too much is logged (who cares
about PORT and STRU commands) and it is not very readable. FTL takes one
of these tracefiles, reads through it, and produces a much more readable
log of server usage, along with overall statistics (files transferred,
bytes downloaded, etc.).

Please note that FTL is not designed as any kind of security scanner; I
admit it can be easily confused or fooled. Everything it reports is
reconstructed from commands the remote client chose to send.

2. What does FTL require?

- OS/2 with REXX installed
- IBM TCP/IP 2.0 with the June 1994 CSD (the June CSD or newer is
  *required*)
- Tracefiles generated by the FTP server FTPD running with the -t option

3. How to use it...

FTL is quite easy to use. First of all, you need a tracefile generated by
FTPD with the -t option. These tracefiles are placed in the directory
pointed to by the ETC variable in CONFIG.SYS, usually x:\TCPIP\ETC. The
filename will be FTPD.TRC. Note that FTPD does *not* append to this file!
Each time FTPD is run it overwrites the file, so copy it elsewhere before
restarting the server if you want to keep it.

Let some people log in to your FTP server, transfer some files, etc. FTPD
prevents reading the tracefile while it is running, so you must shut down
the server to be able to read the file; Control-C works nicely.

If you haven't already, take a look at the contents of the tracefile. Not
very nice, huh? The tracefile seems to be geared more for debugging than
for logging server activity.
At this point you can copy FTPD.TRC to the directory FTL is in and just
run "FTL" (or "FTL | more" to pause after each screen). For more FTL
options, check out the next section...

4. FTL Command Line Options

Command line options are not case sensitive.

[-0|1|2|3]     Specify the level of logging. "-0" is the shortest,
               displaying only a summary of server usage. "-1" (the
               default) and "-2" show more info for each user, and "-3"
               shows a bunch of debugging info.

[-t tracefile] Specify the input file. This cannot include a path.

[-l logfile]   Write the generated log to a file (e.g. -l LOGFILE.TXT).

[-q]           Don't display the log on the screen. Really only useful
               with the -l option when running FTL from a batch file.

[-h]           Resolve the IPs found. This requires NSLOOKUP to be in the
               path. (Every TCP/IP installation should already be set up
               for this.) Keep in mind that a reverse lookup returns
               whatever name the owner of that address block has
               published, so treat the names as a convenience, not as
               proof of who connected.

[-?]           Display the available options.

Running "ftl" is equivalent to "ftl -1 -t FTPD.TRC".

5. Things to note while running FTL

FTL is not meant to be any sort of security program; it just shows you
normal system usage. If you need security logging and features such as
those in a good ftpd for Unix, pester IBM to improve their ftpd.

The tracefile is first sorted by socket before it is parsed. I'm
currently using a really slow sorting algorithm, so big tracefiles may
take a while to sort.

When FTL encounters a command in a tracefile that it doesn't understand,
it reports it (you must call FTL with the "-2" option to see this) and
tries to continue. FTL should be able to handle all commands given to
the FTP server, even if it doesn't actually *do* anything with them. I
think I've implemented all the commonly used stuff, but if you're using
some of the more obscure commands (like proxy servers and appending
files), let me know and I'll toss those in sooner. If you're
consistently seeing commands it doesn't handle, let me know so I can get
it fixed! After all, I use this program too. ;-)

In some cases, FTL may encounter an unknown result from a command.
I've tried to cover all possible replies to commands, but it's possible
some have slipped through. If this happens, FTL reports something to the
effect of "ERROR: Unknown Result Code...", skips the rest of the commands
entered by that user, and moves on to the next user. If you encounter
this, please let me know.

6. Known Bugs:

- The -t and -l options cannot point to other directories.
- Trying to open a non-existent file generates a confusing error message.
- The SortTraceFile routine is really bad... It works, but it was just a
  quick kludge on my part. Veeery slow.

7. Soon to come... (maybe :-)

- Running summary between tracefiles (e.g. weekly statistics,
  stats-to-date)
- Matching usernames to valid sites (e.g. flagging username
  "beta_tester" connecting from sites other than those you've approved)
- Nicer output; "Socket xx did this..." gets a little tedious.

8. A final note...

This is still being developed! Expect it not to handle all kinds of
stuff. If FTL burps on your tracefile, please send me either the portion
of the tracefile where it's dying, or the whole thing. I encourage
suggestions for features! I'd like to make this a decent program. I know
a lot of people were upset at IBM for not including any way to monitor
ftpd activity (pre-CSD days), and I think that tracefiles help a little,
but not much. Tracefiles are just that: for tracing, not logging.

That's it... Lemme know what ya think!

9. Contacting the author, getting the newest version...

Since this is a program I use too, I want to hear your suggestions,
complaints, and comments.

email: jdolske@mail.bgsu.edu
IRC:   I'm often on #os/2 as Bob_Ross

The newest version should be available on my ftp server,
donut.bgsu.edu. I'll upload major changes to hobbes.nmsu.edu, but
intermediate versions will only be on my system (anonymous ftp).
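Appendix (added example, not part of the original README and not FTL's own REXX code, which is not reproduced on this page): a small Python summarizer that follows the processing described in sections 3 and 5 above. It groups the trace by socket, drops the noise commands (PORT, STRU and friends), reports verbs it does not understand and keeps going, and abandons a socket's session at an unknown result code. The real FTPD.TRC layout is not shown on this page, so the "<socket> <C|S> <text>" line format, the table of expected reply codes and the "(N bytes)" note on 226 replies are assumptions of this example, and the trace lines are constructed. It goes one step past the page in two places: the grouping is done with a dictionary in a single pass instead of a sort, and because usernames and filenames in the trace are whatever the remote client typed, the report strips non-printable characters before writing them out, which is one concrete way a log tool becomes harder to fool.

```python
# Added example, not FTL's REXX code.  Trace layout "<socket> <C|S> <text>" is assumed.
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed trace, interleaved by socket: 12 has an escape sequence in its
# username; 13 sends an unknown verb, a refused upload, then gets a bogus reply code.
SAMPLE_TRACE = """\
12 C USER anonymous\x1b[2J
12 S 331 Guest login ok, send e-mail as password
13 C USER beta_tester
13 S 230 User logged in
12 C PASS guest@example.org
12 S 230 Guest login ok
12 C PORT 192,0,2,10,4,1
12 C RETR readme.txt
12 S 226 Transfer complete (1234 bytes)
13 C FROB now
13 C STOR upload.zip
13 S 550 Permission denied
13 C RETR secret.txt
13 S 999 not a valid reply
13 C RETR other.txt
13 S 226 Transfer complete (10 bytes)
"""

NOISE = {"PORT", "STRU", "TYPE", "MODE"}  # say nothing about what the user did
EXPECTED = {  # final reply codes this summarizer knows how to read, per command
    "USER": {"230", "331", "530"}, "PASS": {"230", "530"},
    "RETR": {"226", "250", "425", "426", "450", "550"},
    "STOR": {"226", "250", "425", "426", "450", "452", "550", "553"},
}
LINE_RE = re.compile(r"^(?P<sock>\d+) (?P<dir>[CS]) (?P<text>.*)$")
BYTES_RE = re.compile(r"\((\d+) bytes\)")  # assumed byte count on 226 replies

@dataclass
class Session:
    socket: int
    user: str = "?"
    transfers: list = field(default_factory=list)  # completed "RETR x" / "STOR y"
    failed: list = field(default_factory=list)
    unknown_commands: list = field(default_factory=list)
    bytes_out: int = 0
    aborted: bool = False  # an unknown result code ended parsing of this socket

def by_socket(trace_text):
    """Group the trace by socket in one O(n) pass, keeping each socket's lines in order."""
    groups = defaultdict(list)
    for m in filter(None, map(LINE_RE.match, trace_text.splitlines())):
        groups[int(m["sock"])].append((m["dir"], m["text"]))
    return groups

def exchanges(entries):
    """Pair each client command with the server replies that follow it."""
    cmd, replies = None, []
    for direction, text in entries + [("C", "")]:  # sentinel flushes the last command
        if direction == "S":
            replies.append(text)
            continue
        if cmd is not None:
            yield cmd, replies
        cmd, replies = text, []

def summarize(trace_text):
    sessions = {}
    for sock, entries in by_socket(trace_text).items():
        s = sessions[sock] = Session(sock)
        for cmd_line, replies in exchanges(entries):
            verb, _, arg = cmd_line.partition(" ")
            verb = verb.upper()
            if verb in NOISE:
                continue
            if verb not in EXPECTED:
                s.unknown_commands.append(verb)  # report it and keep going
                continue
            code = (replies or [""])[-1][:3]
            if code not in EXPECTED[verb]:
                s.aborted = True  # FTL: "ERROR: Unknown Result Code..."
                break             # skip the rest of this user's commands
            if verb == "USER":
                s.user = arg
            elif verb in ("RETR", "STOR"):
                ok = code in ("226", "250")
                (s.transfers if ok else s.failed).append(f"{verb} {arg}")
                m = BYTES_RE.search(replies[-1])
                if ok and verb == "RETR" and m:
                    s.bytes_out += int(m.group(1))
    return sessions

def render(sessions):
    """Readable report; client-supplied names are stripped of control characters."""
    clean = lambda v: "".join(filter(str.isprintable, v))
    out = []
    for s in sessions.values():
        out.append(f"Socket {s.socket}: user {clean(s.user)}, "
                   f"{len(s.transfers)} transfers ({s.bytes_out} bytes down), "
                   f"{len(s.failed)} failed")
        out += [f"  unhandled command: {clean(v)}" for v in s.unknown_commands]
        if s.aborted:
            out.append("  ERROR: Unknown Result Code; rest of session skipped")
    return "\n".join(out)
```

To use it on a real trace once the line format has been adjusted to match, call render(summarize(open("FTPD.TRC").read())). The dictionary of per-socket lists replaces the sort-then-scan step the README calls "veeery slow" with a single linear pass that preserves order within each socket, and the report deliberately never echoes a raw username or filename, since on socket 12 above the "username" is really a terminal escape sequence.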